win.akdoortea (Back to overview)

AkdoorTea

Actor(s): WageMole


AkdoorTea is a simple TCP RAT.

In August 2025, it was contained in a trojanized Nvidia CUDA toolkit package, probably delivered via the ClickFix technique. The package also contained an obfuscated BeaverTail payload, which suggests attribution to the Contagious Interview campaigns.

AkdoorTea obfuscates its network traffic with Base64 encoding combined with a single-byte XOR key.

The RAT supports five commands, one of which reports its internal version, "01.01".

Its name was inspired by its similarity to a TCP RAT referred to as "Akdoor", which was used in attacks leveraging ActiveX exploits against South Korean targets in April 2018.

References
2025-09-25 | Virus Bulletin | Matěj Havránek, Peter Kálnai
DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception
BeaverTail OtterCookie InvisibleFerret PylangGhost AkdoorTea GolangGhost Tropidoor TsunamiKit
2025-09-25 | ESET Research | Matěj Havránek, Peter Kálnai
DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception
BeaverTail OtterCookie InvisibleFerret PylangGhost AkdoorTea GolangGhost Tropidoor TsunamiKit
Yara Rules
[TLP:WHITE] win_akdoortea_auto (20260504 | Detects win.akdoortea.)
// Autogenerated code-sequence rule for AkdoorTea (win.akdoortea), a simple TCP RAT.
// Each $sequence_N string is a byte pattern lifted from x86 disassembly of unpacked
// samples / memory dumps (see the DISCLAIMER in the rule body). Because the
// generator documents only single samples for many families, treat a hit as a
// strong but build-specific signal and tune the confidence you assign accordingly.
rule win_akdoortea_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.akdoortea."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.akdoortea"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Hex strings below: `????` wildcards mask the 4-byte operands of
        // call (e8) and push-imm32 (68) instructions, whose values change
        // between builds. Sequences that embed absolute data addresses
        // (0x4220f8, 0x41dd54) are tied to one image base / build and are
        // the most likely to stop matching on recompiled samples.
        $sequence_0 = { 6bd038 8955e0 8b048df8204200 f644102801 74ba }
            // n = 5, score = 100
            //   6bd038               | imul                edx, eax, 0x38
            //   8955e0               | mov                 dword ptr [ebp - 0x20], edx
            //   8b048df8204200       | mov                 eax, dword ptr [ecx*4 + 0x4220f8]
            //   f644102801           | test                byte ptr [eax + edx + 0x28], 1
            //   74ba                 | je                  0xffffffbc
            // Indexes a table at absolute address 0x4220f8 with a 0x38-byte
            // stride; the hard-coded address makes this sequence build-specific.

        $sequence_1 = { 50 e8???????? 83c418 c7850cecffff04010000 }
            // n = 4, score = 100
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18
            //   c7850cecffff04010000     | mov    dword ptr [ebp - 0x13f4], 0x104
            // 0x104 = 260, i.e. MAX_PATH on Windows — presumably a buffer
            // length for a path API call; not confirmed from this listing.

        $sequence_2 = { 6a00 50 e8???????? 83c40c c7873404000000000000 8d442410 c7873804000000000000 }
            // n = 7, score = 100
            //   6a00                 | push                0
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   c7873404000000000000     | mov    dword ptr [edi + 0x434], 0
            //   8d442410             | lea                 eax, [esp + 0x10]
            //   c7873804000000000000     | mov    dword ptr [edi + 0x438], 0
            // Zeroes two adjacent fields at [edi+0x434] and [edi+0x438];
            // [esi+0x434] is written again in $sequence_9, suggesting the
            // same structure layout (layout itself not documented here).

        $sequence_3 = { 57 8d85fcf7ffff 56 50 e8???????? 83c418 }
            // n = 6, score = 100
            //   57                   | push                edi
            //   8d85fcf7ffff         | lea                 eax, [ebp - 0x804]
            //   56                   | push                esi
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18
            // Passes a pointer to a ~0x800-byte stack buffer to a masked call;
            // the callee is not visible from the pattern.

        $sequence_4 = { 0f852c010000 8b0485f8204200 8bcb 83c02e }
            // n = 4, score = 100
            //   0f852c010000         | jne                 0x132
            //   8b0485f8204200       | mov                 eax, dword ptr [eax*4 + 0x4220f8]
            //   8bcb                 | mov                 ecx, ebx
            //   83c02e               | add                 eax, 0x2e
            // Same absolute table address (0x4220f8) as $sequence_0 — both
            // sequences share the build-specific caveat.

        $sequence_5 = { 8b049554dd4100 898588f8ffff 85c0 0f84ad000000 3bc3 }
            // n = 5, score = 100
            //   8b049554dd4100       | mov                 eax, dword ptr [edx*4 + 0x41dd54]
            //   898588f8ffff         | mov                 dword ptr [ebp - 0x778], eax
            //   85c0                 | test                eax, eax
            //   0f84ad000000         | je                  0xb3
            //   3bc3                 | cmp                 eax, ebx
            // Loads from a second absolute table at 0x41dd54 and null-checks
            // the entry; build-specific for the same reason as above.

        $sequence_6 = { 03f7 83c40c 81c120030000 8bf9 }
            // n = 4, score = 100
            //   03f7                 | add                 esi, edi
            //   83c40c               | add                 esp, 0xc
            //   81c120030000         | add                 ecx, 0x320
            //   8bf9                 | mov                 edi, ecx
            // Short, position-independent arithmetic; generic enough that it
            // contributes little on its own and relies on the 7-of-10 threshold.

        $sequence_7 = { 8d95f0f9ffff c785ecf9ffff00000000 8d4a01 0f1f8000000000 8a02 42 84c0 }
            // n = 7, score = 100
            //   8d95f0f9ffff         | lea                 edx, [ebp - 0x610]
            //   c785ecf9ffff00000000     | mov    dword ptr [ebp - 0x614], 0
            //   8d4a01               | lea                 ecx, [edx + 1]
            //   0f1f8000000000       | nop                 dword ptr [eax]
            //   8a02                 | mov                 al, byte ptr [edx]
            //   42                   | inc                 edx
            //   84c0                 | test                al, al
            // Head of a byte-scan loop over a stack buffer (load byte, advance,
            // test for zero) — looks like an inlined strlen-style scan; the
            // aligned nop (0f1f80…) is compiler-emitted loop padding.

        $sequence_8 = { ffb568fdffff 8d85f4fdffff ffb564fdffff ffb560fdffff 68???????? }
            // n = 5, score = 100
            //   ffb568fdffff         | push                dword ptr [ebp - 0x298]
            //   8d85f4fdffff         | lea                 eax, [ebp - 0x20c]
            //   ffb564fdffff         | push                dword ptr [ebp - 0x29c]
            //   ffb560fdffff         | push                dword ptr [ebp - 0x2a0]
            //   68????????           |                     
            // Pushes three stack locals and a masked immediate (68 ????????,
            // likely a pointer to a constant) ahead of a call outside the pattern.

        $sequence_9 = { 75f0 8b4dfc 5f c78634040000b8220000 }
            // n = 4, score = 100
            //   75f0                 | jne                 0xfffffff2
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   5f                   | pop                 edi
            //   c78634040000b8220000     | mov    dword ptr [esi + 0x434], 0x22b8
            // NOTE(review): 0x22b8 is 8888 decimal; its meaning (and whether
            // [esi+0x434] is the field zeroed in $sequence_2) is not established
            // by this listing — confirm against the sample before relying on it.

    condition:
        // At least 7 of the 10 code sequences must be present, and the scanned
        // object must be smaller than 305152 bytes (~298 KiB). The size cap
        // keeps scans cheap but will exclude padded, bundled or otherwise
        // enlarged copies of the same code; relax it if that matters for your
        // corpus. The threshold tolerates a few build-specific sequences
        // (those with absolute addresses) failing on recompiled samples.
        7 of them and filesize < 305152
}